DeleteComputer & BitLocker

Aug 17, 2011 at 7:00 PM

Hi,

I am having a problem using the DeleteComputer function when the computer account contains a BitLocker recovery key. It appears that storing the BitLocker key in AD changes the computer account from a leaf object to a container object. I see the following entries in the webservice log when attempting to run the DeleteComputer function:

    Delete Active Directory object "LDAPpathofPC". DeleteChildren = False.
    Exception: The directory service can perform the requested operation only on a leaf object.

Is it possible to set the DeleteChildren to true? Or is there another way around this issue?

Scott

Aug 21, 2011 at 1:49 PM
Edited Aug 21, 2011 at 2:15 PM

Are you running 2008 R2 for your domain? If so, as a DA what I have noticed is that every time I try to delete a system with a BitLocker key it prompts me as a DA with an "are you sure?" type of message.

This is because it now has "BitLocker Recovery Information", which is a child object.

So I don't know that deleting the container object will be sufficient. You may need to delete the child object first.

I've been looking for a VBScript for this but haven't found one yet.

***********************

Edit

This is probably close to what we are looking for:

http://halr9000.com/article/916

Quick summary: it is a permission issue, so you need to use PowerShell to change things (or a VB equivalent).

PS> $c | Add-QADPermission -Account 'EVERYONE' -Rights 'Delete,DeleteTree' -ApplyTo 'ThisObjectOnly'
PS> $c | Remove-QADObject -DeleteTree

Not 100% sure though, as I am at home, but I can test tomorrow.
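An added example, not from this thread, showing the same leaf-versus-container check and tree delete with the built-in System.DirectoryServices classes instead of the Quest cmdlets; the distinguished name is a constructed placeholder and the script only deletes when -DeleteTree is passed:

```powershell
# Added example (not code from the thread or the web service). Inspect a
# computer object's children and delete the whole subtree only on request.
# The default DN is a constructed placeholder; replace it with a real one.
param(
    [string]$ComputerDn = 'CN=PC001,OU=Workstations,DC=example,DC=com',
    [switch]$DeleteTree
)

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ComputerDn")

# A computer that stores BitLocker recovery passwords in AD is no longer a
# leaf: each recovery password is an msFVE-RecoveryInformation child object,
# which is why a plain delete (DeleteChildren = False) fails on it.
$children = @($entry.Children)
if ($children.Count -eq 0) {
    Write-Output "$ComputerDn is a leaf object; a plain delete would succeed."
} else {
    Write-Output "$ComputerDn has $($children.Count) child object(s); a plain delete will fail:"
    foreach ($child in $children) {
        Write-Output ("  {0} ({1})" -f $child.Name, $child.SchemaClassName)
    }
}

if (-not $DeleteTree) {
    Write-Output 'Run again with -DeleteTree to remove the computer together with its children.'
    return
}

# Record who is performing the destructive operation before doing it, so the
# audit trail names a real user rather than only a service account.
$caller = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output ("{0:u} {1} deleting subtree {2}" -f (Get-Date), $caller, $ComputerDn)

# DeleteTree() removes the object and all of its descendants in one call and
# needs the Delete Subtree right on the computer object.
$entry.DeleteTree()
```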

Coordinator
Aug 25, 2011 at 7:03 AM

The DeleteComputer function is limited to objects that don't contain child objects. With Release 7.3 a new function will be available called DeleteComputerForced that will also be able to delete computers that have child objects like the BitLocker information. Would be great if you could download the latest Beta (5) and test the functionality in your environment.

Maik

Aug 25, 2011 at 11:32 AM

Thanks Maik. I downloaded Beta5 and cannot find the DeleteComputerForce function. That being said, ad.asmx and adex.asmx appear to have the same functions.

Coordinator
Aug 25, 2011 at 2:50 PM

As these functions are pretty dangerous, they are disabled by default. Please have a look in the web.config and update the value of the Application Setting "ExcludeADFunctions". Just remove the "DeleteComputerForced" entry and it should pop up.

And yes, AD.asmx and ADEx.asmx are pretty similar regarding the name of the functions. But ADEx.asmx supports Multiple Domains.

Regards

Maik

Aug 25, 2011 at 3:10 PM

Thanks again Maik, Testing now. Will let you know the results.

You have done a great job on this webservice!

Aug 25, 2011 at 3:40 PM

First test was successful! Deleted a computer account that had a Bitlocker recovery key. I'll post full test results when we finish.

Aug 25, 2011 at 10:10 PM

Will do tomorrow :-)

Thanks,

Christopher Stauffer
Enterprise SMS Admin
MCTS ConfigMgr 2007
MCP SMS 2003
mail: CStauffer@myitforum.com
Blog: http://myitforum.com/cs2/blogs/cstauffer/

Aug 25, 2011 at 10:17 PM

Maik, you rock. You just gave me an idea to add to my TS and to the web tools I am developing :-)

Thanks,

Christopher Stauffer

Aug 26, 2011 at 1:32 PM

Force Delete works nicely here as well.

Maik, would it be possible to have the webservice ask for different credentials when doing a "forced delete"? We audit like crazy, and when a machine is disabled or deleted we need to know exactly who did it. A service account is not sufficient.

Thanks,

Christopher Stauffer

Coordinator
Aug 30, 2011 at 2:41 PM

To be honest, that's exactly what I didn't want to have. Just another solution that comes with a security model ;-)

But there are a couple ways you could solve this problem.

One solution could be to use two (or more) web service instances. One is used for the common functions that can be used by almost anybody or the account used for deployment or whatever. The other functions are simply excluded from this version. And a second version that is only used for the functions excluded by the first one that can be used by just a few users. Or you could even enable pass-through authentication for those functions so that the credentials of the calling account would be used to execute the function. Have a look at my blog as I will publish a description on how to use the new simple security model of the updated version 7.3 to exclude or include specific functions.

And regarding logging. There is a quite powerful logging engine running in the web service. Its main purpose is to log errors etc, but it can be configured even during runtime and can export things like calling user, timestamp, etc. See the Troubleshooting section (http://mdtcustomizations.codeplex.com/wikipage?title=Webservice%20Troubleshooting) for some more info on this. So with some tweaking, you could create some messages that just log what user is calling what function. Might be a good topic for another blog post though ;-)

Regards

Maik

Aug 30, 2011 at 3:20 PM

The pass-through sounds like the solution I am looking for. Can you point me in a direction to read more about this?

Thanks,

Christopher Stauffer

Coordinator
Aug 30, 2011 at 3:46 PM

Search for ASP.Net Impersonation. A quick guide can be found at http://technet.microsoft.com/en-us/library/cc730708(WS.10).aspx.

Regards

Maik